Results 1  10
of
30
The security of triple encryption and a framework for codebased gameplaying proofs
 EUROCRYPT 2006, volume 4004 of LNCS
, 2006
"... Abstract. We show that, in the idealcipher model, triple encryption (the cascade of three independentlykeyed blockciphers) is more secure than single or double encryption, thereby resolving a longstanding open problem. Our result demonstrates that for DES parameters (56bit keys and 64bit plaint ..."
Abstract

Cited by 115 (30 self)
 Add to MetaCart
Abstract. We show that, in the idealcipher model, triple encryption (the cascade of three independentlykeyed blockciphers) is more secure than single or double encryption, thereby resolving a longstanding open problem. Our result demonstrates that for DES parameters (56bit keys and 64bit plaintexts) an adversary’s maximal advantage against triple encryption is small until it asks about 2 78 queries. Our proof uses codebased gameplaying in an integral way, and is facilitated by a framework for such proofs that we provide. 1
CodeBased GamePlaying Proofs and the Security of Triple Encryption
 Eurocrypt 2006, LNCS
"... (Draft 3.0) The gameplaying technique is a powerful tool for analyzing cryptographic constructions. We illustrate this by using games as the central tool for proving security of threekey tripleencryption, a longstanding open problem. Our result, which is in the idealcipher model, demonstrates t ..."
Abstract

Cited by 40 (10 self)
 Add to MetaCart
(Draft 3.0) The gameplaying technique is a powerful tool for analyzing cryptographic constructions. We illustrate this by using games as the central tool for proving security of threekey tripleencryption, a longstanding open problem. Our result, which is in the idealcipher model, demonstrates that for DES parameters (56bit keys and 64bit plaintexts) an adversary’s maximal advantage is small until it asks about 278 queries. Beyond this application, we develop the foundations for game playing, formalizing a general framework for gameplaying proofs and discussing techniques used within such proofs. To further exercise the gameplaying framework we show how to use games to get simple proofs for the PRP/PRF Switching Lemma, the security
ChosenCiphertext Security of Multiple Encryption
 In TCC’05, LNCS 3378
, 2005
"... Abstract. Encryption of data using multiple, independent encryption schemes (“multiple encryption”) has been suggested in a variety of contexts, and can be used, for example, to protect against partial key exposure or cryptanalysis, or to enforce threshold access to data. Most prior work on this sub ..."
Abstract

Cited by 38 (2 self)
 Add to MetaCart
Abstract. Encryption of data using multiple, independent encryption schemes (“multiple encryption”) has been suggested in a variety of contexts, and can be used, for example, to protect against partial key exposure or cryptanalysis, or to enforce threshold access to data. Most prior work on this subject has focused on the security of multiple encryption against chosenplaintext attacks, and has shown constructions secure in this sense based on the chosenplaintext security of the component schemes. Subsequent work has sometimes assumed that these solutions are also secure against chosenciphertext attacks when component schemes with stronger security properties are used. Unfortunately, this intuition is false for all existing multiple encryption schemes. Here, in addition to formalizing the problem of chosenciphertext security for multiple encryption, we give simple, efficient, and generic constructions of multiple encryption schemes secure against chosenciphertext attacks (based on any component schemes secure against such attacks) in the standard model. We also give a more efficient construction from any (hierarchical) identitybased encryption scheme secure against selectiveidentity chosen plaintext attacks. Finally, we discuss a wide range of applications for our proposed schemes. 1
Cascade Ciphers: The Importance of Being First
, 1993
"... The security of cascade ciphers, in which by definition the keys of the component ciphers are independent, is considered. It is shown by a counterexample that the intuitive result, formally stated and proved in the literature, that a cascade is at least as strong as the strongest component cipher, ..."
Abstract

Cited by 26 (3 self)
 Add to MetaCart
The security of cascade ciphers, in which by definition the keys of the component ciphers are independent, is considered. It is shown by a counterexample that the intuitive result, formally stated and proved in the literature, that a cascade is at least as strong as the strongest component cipher, requires the uninterestingly restrictive assumption that the enemy cannot exploit information about the plaintext statistics. It is proved, for very general notions of breaking a cipher and of problem difficulty, that a cascade is at least as difficult to break as the first component cipher. A consequence of this result is that, if the ciphers commute, then a cascade is at least as difficult to break as the mostdifficulttobreak component cipher, i.e., the intuition that a cryptographic chain is at least as strong as its strongest link is then provably correct. It is noted that additive stream ciphers do commute, and this fact is used to suggest a strategy for designing secure practical ci...
Improving implementable meetinthemiddle attacks by orders of magnitude
 of LNCS
, 1996
"... Abstract. Meetinthemiddle attacks, where problems and the secrets being sought are decomposed into two pieces, have many applications in cryptanalysis. A wellknown such attack on doubleDES requires 2 56 time and memory; a naive key search would take 2112 time. However, when the attacker is limi ..."
Abstract

Cited by 18 (0 self)
 Add to MetaCart
Abstract. Meetinthemiddle attacks, where problems and the secrets being sought are decomposed into two pieces, have many applications in cryptanalysis. A wellknown such attack on doubleDES requires 2 56 time and memory; a naive key search would take 2112 time. However, when the attacker is limited to a practical amount of memory, the time savings are much less dramatic. For n the cardinality of the space that each half of the secret is chosen from (n=2 56 for doubleDES), and w the number of words of memory available for an attack, a technique based on parallel collision search is described which requires O ( ) times fewer operations and O ( ) times fewer memory accesses than previous approaches to meetinthemiddle attacks. For the example of doubleDES, an attacker with 16 Gbytes of memory could recover a pair of DES keys in a knownplaintext attack with 570 times fewer encryptions and 3.7×106 n ⁄ w n ⁄ w times fewer memory accesses compared to previous techniques using the same amount of memory. Key words. Meetinthemiddle attack, parallel collision search, cryptanalysis, DES, low Hamming weight exponents.
Security Amplification by Composition: The case of DoublyIterated, Ideal Ciphers
, 1998
"... We investigate, in the Shannon model, the security of constructions corresponding to double and (twokey) triple DES. That is, we consider Fk1 (Fk2(\Delta)) and Fk1(F \Gamma 1 k2 (Fk1 (\Delta))) with the component functions being ideal ciphers. This models the resistance of these constructions to & ..."
Abstract

Cited by 13 (2 self)
 Add to MetaCart
We investigate, in the Shannon model, the security of constructions corresponding to double and (twokey) triple DES. That is, we consider Fk1 (Fk2(\Delta)) and Fk1(F \Gamma 1 k2 (Fk1 (\Delta))) with the component functions being ideal ciphers. This models the resistance of these constructions to "generic" attacks like meet in the middle attacks. We obtain
On robust combiners for private information retrieval and other primitives
 CRYPTO
, 2006
"... Abstract. Let A and B denote cryptographic primitives. A (k, m)robust AtoB combiner is a construction, which takes m implementations of primitive A as input, and yields an implementation of primitive B, which is guaranteed to be secure as long as at least k input implementations are secure. The ma ..."
Abstract

Cited by 13 (2 self)
 Add to MetaCart
Abstract. Let A and B denote cryptographic primitives. A (k, m)robust AtoB combiner is a construction, which takes m implementations of primitive A as input, and yields an implementation of primitive B, which is guaranteed to be secure as long as at least k input implementations are secure. The main motivation for such constructions is the tolerance against wrong assumptions on which the security of implementations is based. For example, a (1,2)robust AtoB combiner yields a secure implementation of B even if an assumption underlying one of the input implementations of A turns out to be wrong. In this work we study robust combiners for private information retrieval (PIR), oblivious transfer (OT), and bit commitment (BC). We propose a (1,2)robust PIRtoPIR combiner, and describe various optimizations based on properties of existing PIR protocols. The existence of simple PIRtoPIR combiners is somewhat surprising, since OT, a very closely related primitive, seems difficult to combine (Harnik et al., Eurocrypt’05). Furthermore, we present (1,2)robust PIRtoOT and PIRtoBC combiners. To the best of our knowledge these are the first constructions of AtoB combiners with A � = B. Such combiners, in addition to being interesting in their own right, offer insights into relationships between cryptographic primitives. In particular, our PIRtoOT combiner together with the impossibility result for OTcombiners of Harnik et al. rule out certain types of reductions of PIR to OT. Finally, we suggest a more finegrained approach to construction of robust combiners, which may lead to more efficient and practical combiners in many scenarios.
NonTrivial BlackBox Combiners for CollisionResistant HashFunctions don’t Exist
 Advances in Cryptology — Eurocrypt 2007, Lecture Notes in Computer Science
"... Abstract. A (k, `)robust combiner for collisionresistant hashfunctions is a construction which from ` hashfunctions constructs a hashfunction which is collisionresistant if at least k of the components are collisionresistant. One trivially gets a (k, `)robust combiner by concatenating the ou ..."
Abstract

Cited by 9 (1 self)
 Add to MetaCart
Abstract. A (k, `)robust combiner for collisionresistant hashfunctions is a construction which from ` hashfunctions constructs a hashfunction which is collisionresistant if at least k of the components are collisionresistant. One trivially gets a (k, `)robust combiner by concatenating the output of any ` − k + 1 of the components, unfortunately this is not very practical as the length of the output of the combiner is quite large. We show that this is unavoidable as no blackbox (k, `)robust combiner whose output is significantly shorter than what can be achieved by concatenation exists. This answers a question of Boneh and Boyen (Crypto’06). 1
Robuster Combiners for Oblivious Transfer
"... Abstract. A(k; n)robust combiner for a primitive F takes as input n candidate implementations of F and constructs an implementation of F, which is secure assuming that at least k of the input candidates are secure. Such constructions provide robustness against insecure implementations and wrong ass ..."
Abstract

Cited by 6 (3 self)
 Add to MetaCart
Abstract. A(k; n)robust combiner for a primitive F takes as input n candidate implementations of F and constructs an implementation of F, which is secure assuming that at least k of the input candidates are secure. Such constructions provide robustness against insecure implementations and wrong assumptions underlying the candidate schemes. In a recent work Harnik et al. (Eurocrypt 2005) have proposed a (2; 3)robust combiner for oblivious transfer (OT), and have shown that (1; 2)robust OTcombiners of a certain type are impossible. In this paper we propose new, generalized notions of combiners for twoparty primitives, which capture the fact that in many twoparty protocols the security of one of the parties is unconditional, or is based on an assumption independent of the assumption underlying the security of the other party. This finegrained approach results in OTcombiners strictly stronger than the constructions known before. In particular, we propose an OTcombiner which guarantees secure OT even when only one candidate is secure for both parties, and every remaining candidate is flawed for one of the parties. Furthermore, we present an efficient uniform OTcombiner, i.e., a single combiner which is secure simultaneously for a wide range of candidates ’ failures. Finally, our definition allows for a very simple impossibility result, which shows that the proposed OTcombiners achieve optimal robustness.